Schneier on Security
A blog covering security and security technology.
« Op-ed Explaining Why Terrorism Doesn't Work |
| Stratfor on the Phoenix Serial Flashlight Bomber »
June 25, 2012
There was a conference on resilience (highlights here, and complete videos here) earlier this year. Here's an interview with professor Sander van der Leeuw on the topic. Although he never mentions security, it's all about security.
Any system, whether it’s the financial system, the environmental system, or something else, is always subject to all kinds of pressures. If it can withstand those pressures without really changing its behavior, then it’s robust. When a system can’t withstand them anymore but can deal with them by integrating some changes so the pressures fall off and it can keep going, then it’s resilient. If it comes to the point where the only choices are to make fundamental structural changes or to cease existence, then it becomes vulnerable.
I’ve worked a lot on the end of the Roman Empire. Let’s go back to sometime before the end. The Roman Empire expands all around the Mediterranean and becomes very, very big. It can do that because wherever it goes, it finds and then takes away existing treasure that has been accumulated over the centuries before. That treasure pays for the army, it pays for the administration, it pays for everything. But there’s a certain moment, beginning in the third century, when there is no more treasure to be had. The empire has already taken in all of the civilized world. At that point, to maintain its administration and military and feed its poor, it must depend basically on the annual yield of agriculture, or the actual product of solar energy. At the same time, the empire becomes less attractive because it has less to offer, because it has less extra energy. So now it has to deal with all kinds of unrest, and ultimately, the energy that it has available for its administration is no longer sufficient to maintain the empire. So between the third century and the fifth century, the empire has to make changes. That is the period when it adapts its behavior to all kinds of pressures. That is the resilience period. At the end of that period, when it is no longer able to maintain that, it quickly becomes vulnerable and falls apart.
And here's sort of a counter-argument, that resilience in national security is overrated:
But it can go wrong. Rebuilding a community that sits in a flood zone shows plenty of resilience but less wisdom. American Idol contestants who have no singing ability but compete year after year are resilient -- and delusional. Winston Churchill once joked that success is the ability to go from failure to failure without losing your enthusiasm. But there is a fine line between perseverance and stupidity. Sometimes it is better to give up and pursue a different course than continuing down the same failing path in the face of adversity.
The potential problems are particularly acute in foreign affairs, where effective resilience requires a tireless effort to adapt to changes in the threat environment. In the world of national security, bad things don’t just happen. Thinking, scheming people cause them. Allies and adversaries are constantly devising new ways to serve their own interests and gain advantage. Each player’s move generates countermoves, unintended consequences, and unforeseen ripple effects. Forging an alliance with one insurgent group alienates another. Hardening some terrorist targets leaves others more vulnerable. Supporting today’s freedom fighters could be arming tomorrow’s enemies. Effective resilience in this realm is not just bouncing back and trying again. It is bouncing back, closing the weaknesses that got you there in the first place, and trying things differently the next time. Adaptation is key. A country’s resilience hinges on being able to adapt to continuously changing threats in the world.
Honestly, this essay doesn't make much sense to me. Yes, resilience can be done badly. Yes, relying solely on reslience can be sub-optimal. But that doesn't make resilience bad, or even overrated.
EDITED TO ADD (7/14): Paper on resilience and control systems.
Posted on June 25, 2012 at 11:17 AM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think that last bit was more effectively stated by the despair.com folks: "winners never quit, and quitters never win, but those who never win and never quit are idiots."
More intelligibly, if people perceive their system as resilient they will be less willing to spend real resources to adapt to the new environment and threats; the ideal system in this view would be one which is in fact very resilient, but whose members think that it is brittle and so are very willing to adapt.
"At that point ... it must depend basically on the annual yield of agriculture, or the actual product of solar energy."
*chuckle* The fall of the Roman Empire was due to it's reliance on Solar Power...
Resilience as a policy bullet-point or a cornerstone of institutional management will mean that the people who implemented the status quo ante are going to have to keep coming back to explain why it will be most resilient to set up the old policy again after it's fallen over (see Too Big to Fail.)
The Slate article reads as though it's about resilience, but the actual issues are more the ones from John Gall's _Systemantics_.
Sounds like the Roman Empire was a Ponzi Scheme that ran out of targets...
The constant demand for growth will outpace available supply at some point and the strategy has to adapt. Larger organizations are more resilient to day-to-day changes but more vulnerable to major changes. This growing organization provides new ideas and inventions causing major changes.
Missing or mistiming the needed change of strategy at the end of growth is destructive. Picking the wrong target during the growth cycle is just as destructive.
JP. ALL Empires are Ponzi schemes and all eventually run out of targets.
The US empire has its bases all round the world; whether it likes it or not it IS the empire and it is running out of targets.
It has certainly systematically looted the world for treasure and is now looting it for the money it used to pay for that treasure. But a few years ago George Soros warned that the relentless flow of funds and resources from the rest of the world into the US was not sustainable and would lead to a crash.
Guess we are just about there now. Question is, can the US adapt to its new environment? If Cheney's "the American way of life is not negotiable" still applies, we can look forward to fracture rather than bend.
When a system can withstand pressures, even from a thinking, scheming adversary, I call that "Machiavellian robustness". It's similar to the older and slightly less general concept of "Byzantine robustness". Search engine fodder, if you are interested in that sort of thing.
Please read some of the relevant history before writing things about the Roman Empire you may later find embarrassing.
The Fifth Century collapse was the result of two exogenous shocks, spaced roughly 150 years apart: the rise of the Sassanid dynasty in Persia (roughly AD 226) and the rise of the Hunnish Empire.
Neither event was anything the Romans could have affected, even if they'd been able to tell the future. And the effect of each was more indirect than direct.
The Sassanid dynasty made Persian heavy cavalry far more than just a hypothetical threat. That meant that Rome didn't have the military manpower to spare for the next set of dynastic civil wars. When they happened anyway, it was kitty bar the door.
And the problem with the Hunnish Empire was mostly the bow shock of its formation. Fritigern's Goths were on the move, and desperate, because they were refugees. They were dangerous, because they were refugees who arrived in a militarily significant concentration, under arms, and under their own leaders. The same way all the later waves did, for the next 50 years.
Luttwak's book on Roman grand strategy looked at (among other things) the runup to the Third Century Crisis. Peter Heather has a good book describing the endgame in the late 4'th to late 5'th centuries. But there are lots of other sources; this isn't a poorly understood sequence of events.
"But it can go wrong. Rebuilding a community that sits in a flood zone shows plenty of resilience but less wisdom."
That's certainly doggedness, but is it really a good example of the jargon usage of 'resilience'? The ability to buy replacements when things break doesn't sound like a concept that needs a new jargon term (or a conference).
Being able to adapt and continue operations during and after a flood, on the other hand, would seem to be more in line with the definition presented. So, "Noah's Ark" would be the comparable example, at least in the field of animal husbandry.
What a muddled mess...
"If it can withstand those pressures without really changing its behavior, then it’s robust."
No, it's powerful. It survives by overpowering adversity. Were it "robust", it would survive without needing to overpower.
"When a system can’t withstand them anymore but can deal with them by integrating some changes so the pressures fall off and it can keep going, then it’s resilient."
No, then it's adaptive. And reactive.
"If it comes to the point where the only choices are to make fundamental structural changes or to cease existence, then it becomes vulnerable."
If it decayed due to external pressure, then it was already vulnerable to those pressures; if it refuses to change now, it's probably doomed.
"But that doesn't make resilience bad, or even overrated."
No, but choosing, by default, to be reactive rather than proactive -- which is what this mess is really saying -- is definitely not a good thing.
Also of interest to the fall of the Roman Empire was what was going on in Rome it's self.
They had an issue with the ruling class not having children and many going mad.
It has been suggested (and it's an interesting idea) that it was heavy metal poisoning from the use of lead. There have been some quite heated arguments back and forth on this idea between scholars for well over fifty years.
The Romans used lead for making water pipes (as we did in London during the Victorian era) what the Romans also did was use it for making or lining cooking pots. Which the "cooks" of the Roman "gentry" used for reducing wine to make sauces for food which would leach a fair amount of the lead into solution. To make it worse towards the end of the empire the wine would almost certainly have been adulterated by various "additives" including lead acetate.
Further the Romans also used to ßsssssssssssssssssssssssssssssssssssssssss
Thus it might well be the case that the Roman leaders had heavy metal poisoning which would account for the lack of children and the apparently mad behaviour some of the leaders exhibited.
If you want to see a fairly balanced view on the subject,
Also, the peace and extend of the Roman empire, and the size of its cities, supported massive epidemics. When the Germanic people were entering, Italy was already depopulated.
At one time, the Eastern empire had almost reconquered the Western part. The conquest was stopped when a plague wiped out a third of the population.
@rlmrdl: Nut just the US. The whole central banking system is a Ponzi scheme. And it's starting to fail now that resources are getting scarce.
@ All posters of the various reasons that the Roman empire went down: What do you think; would any of their 'risk "models"' have accounted for these systemic and black-swan risks ...?
looks to me only black swan risk is the occurrence of several high impact risks approximately around the same time. None of them killed the RE by itself but their cumulative and long lasting effect did it....
would any of their 'risk "models"' have accounted for these systemic and black-swan risks ...?
The issue with lead was by no means a "black swan" issue for the Romans, some of them actually identified lead as a source of poison and described the symptoms of lead poisoning in their contemporary writing.
For some reason my phone appears to have thrown a wobler during my previous post...
The paragraph with the line of 'ssss' in it should have read,
"Further the Romans also used to take red grape must (raw unfermented grap juice) and reduce it by simmering off excess water content in large lead or lead lined vessels (because the "flavour was better than in other metals and did not suffer the build up of verdigris). The reduction used to be by between 1/2 and 2/3 which is likly to have very high lead content in the remaining 1/3. The resulting liquid was used as a sweetening agent in wine and as a preservative in other comestables, and thus the total lead intake of the "gentry" would easily have been enough to cause lead poisoning.
Honestly, this essay doesn't make much sense to me. Yes, resilience can be done badly...
I think the problem you have is with which sort of resilience they are talking about.
An effective entity shows resilience by modifiing and adapting to a changing environment. This is outwards facing resilience and what is desirable.
However an ineffective entity shows resilience by either not modifing or adapting it's behaviour or worse returns to an original ineffective state even though it has been changed by those with the authority to do so. This is inwards facing resilience and is usually very undesirable at all levels outside of the entity.
It's like looking for the difference between "a business man" and "a bureaucrat". A business man survives and prospers by not following rules and this usually involves risk. A bureaucrat however survives by following all the rules and taking no risk what soever. Unfortunatly bureaucrats have three rule books, the first is effectivly their departmental chater and related laws as laid down by the politicians, the second is the official department rules by which the charter and relevant laws are interpreted and the third is those "unofficial, unwritten rarely spoken house rules". Templates for which can be found in the likes of "The Prince" etc.
Back around the time of World War Two, in a little book shop at the bottom of Pond St Hampsted in North London a man working for the BBC and indirectly one or two MI's was writting some essays and books. In them he identified much of the ills that currently beset our Western (representational) democracies. One of his most famous relates the tale of a man living in a very represive state he is called Winston Smith and the year is 1984. Those who have read the book and other George Orwell books such as Animal Farm will see that George was wrong in a couple of areas, firstly he set it a quater of a century to soon and secondly he indicated that the state effectivly forced the surveillance technology onto the people. Where as we have chearfully gone out and purchased it either with money or by accepting the faustian bargin of not paying with money but by allowing our private lives to be mined to almost unimaginable depth and then sold over and over to those with money.
The other things such as "Big Bother", "Spin", "New Speak" have all proved to be remarkably prescient. Oh and as for "Room 101" could it be the model for an out of state internment camp where orange jumsuits are required apparel?
I think that the concept of resilience encompasses security, but is also about dealing with the low likelihood, high consequence events that affect a company's/organisation/system longevity. That does not mean that a security approach and the development of a security culture isn't extremely important. It is more that the organisation or system needs to develop ways to adapt and change because inherently as it gets bigger it becomes more brittle and consequently more subject to catastrophic shock.
For those who might be a little shaky on the derivation of "resilience" a little bit of history is required.
The technological use of the term resilience originaly arose with Control System Theory and has evolved to cover Information Systems and Organisational Theory. However it's original meaning has both broadend and deepened in meaning and more recently has come to cover other aspects including malicious actors and Cyber Security.
A group of researchers (Craig Rieger, David Gertman and Miles McQueen) from Idaho National Laboratory produced a paper in May 2009 called
Control Systems: Next Generation Design Research
Which was presented at the 2nd IEEE Conference on Human System Interaction (HSI2009). For those without IEEE membership a preprint can be downloaded,
In their paper they define resilience as,
A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature.
I slightly disagree with this definition as I think the last "and" should actually be an "or". That is threats can be "unexpected", "malicious" or both as this would then also cover unintended effects of outsider attacks, insider attacks and otherwise normal actions of benign entities.
The important part of the definition however is "one that maintains state awareness" this actual implies "proactive" rather than "reactive" system behaviour. That is a system rather than "bend in the wind" actually "turns into the wind" to minimise it's windage surface thus alowing better use of the system strengths.
The paper is quite short and reasonably readable and illuminating / instructive in many ways.
@ Clive Robinson
"For some reason my phone appears to have thrown a wobbler ..."
Clive, my friend! That wobbler maybe a key logger! Flash your phone again. Hopefully that logger is not a blue pill type one that sits in your favorite hypervisor. Matrix blue pill, that is -- not the Pfizer one :)
As Stormcrow said it sounds like the auther knows only what he has learnt from Hollywood sword and sandle movies.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.